From 7056cf7614f8a3c621e0b2b11f8e84419f1d9c37 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Fri, 19 Mar 2021 15:05:28 +0100
Subject: [PATCH] FIX #yogosha5675
---
 htdocs/user/group/card.php | 15 +++++++--------
 htdocs/user/group/list.php | 26 +++++++++++++++-----------
 htdocs/user/list.php | 8 ++++----
 3 files changed, 26 insertions(+), 23 deletions(-)
diff --git a/htdocs/user/group/card.php b/htdocs/user/group/card.php
index 05945c02855..0d6d413ba0f 100644
--- a/htdocs/user/group/card.php
+++ b/htdocs/user/group/card.php
@@ -57,14 +57,6 @@ $backtopage = GETPOST('backtopage', 'alpha');
 $userid = GETPOST('user', 'int');
-// Security check
-$result = restrictedArea($user, 'user', $id, 'usergroup&usergroup', $feature2);
-
-// Users/Groups management only in master entity if transverse mode
-if (!empty($conf->multicompany->enabled) && $conf->entity > 1 && $conf->global->MULTICOMPANY_TRANSVERSE_MODE) {
- accessforbidden();
-}
-
 $object = new Usergroup($db);
 $extrafields = new ExtraFields($db);
 // fetch optionals attributes and labels
@@ -77,6 +69,13 @@ $object->getrights();
 // Initialize technical object to manage hooks. Note that conf->hooks_modules contains array
 $hookmanager->initHooks(array('groupcard', 'globalcard'));
+// Security check
+$result = restrictedArea($user, 'user', $id, 'usergroup&usergroup', $feature2);
+
+// Users/Groups management only in master entity if transverse mode
+if (!empty($conf->multicompany->enabled) && $conf->entity > 1 && $conf->global->MULTICOMPANY_TRANSVERSE_MODE) {
+ accessforbidden();
+}
 /**
diff --git a/htdocs/user/group/list.php b/htdocs/user/group/list.php
index 7281bc93639..edd34dfe9b8 100644
--- a/htdocs/user/group/list.php
+++ b/htdocs/user/group/list.php
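Review bot: The relocated `restrictedArea()` call in the second hunk now runs after `$object->getrights()` (named in the hunk header) and `$hookmanager->initHooks()`, so whatever loads the group between the old and the new position executes before the caller is authorised; those lines are outside the hunk, so it is worth confirming that none of them writes or outputs anything. A comment above the block, for example `// Security check: must stay before any action or output; the object load and hook init above are read-only`, would keep a later edit from sliding code in front of it. `$feature2` is passed to `restrictedArea()` but no assignment is visible in either hunk of this file, so presumably it is set earlier; if it is not, an undefined variable is being handed to the access check. The late-placement remark applies equally to the guards moved in htdocs/user/group/list.php (`@@ -78,6 +67,21 @@`) and htdocs/user/list.php (`@@ -185,6 +181,10 @@`).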
@@ -28,17 +28,6 @@ require '../../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/user/class/usergroup.class.php';
-if (!empty($conf->global->MAIN_USE_ADVANCED_PERMS)) {
- if (!$user->rights->user->group_advance->read && !$user->admin) {
- accessforbidden();
- }
-}
-
-// Users/Groups management only in master entity if transverse mode
-if (!empty($conf->multicompany->enabled) && $conf->entity > 1 && $conf->global->MULTICOMPANY_TRANSVERSE_MODE) {
- accessforbidden();
-}
-
 // Load translation files required by page
 $langs->load("users");
@@ -78,6 +67,21 @@ $fieldstosearchall = array(
 'g.note'=>"Note"
 );
+if (!empty($conf->global->MAIN_USE_ADVANCED_PERMS)) {
+ if (!$user->rights->user->group_advance->read && !$user->admin) {
+ accessforbidden();
+ }
+}
+
+// Users/Groups management only in master entity if transverse mode
+if (!empty($conf->multicompany->enabled) && $conf->entity > 1 && $conf->global->MULTICOMPANY_TRANSVERSE_MODE) {
+ accessforbidden();
+}
+
+if (!$user->rights->user->user->lire && !$user->admin) {
+ accessforbidden();
+}
+
 /*
 * Actions
diff --git a/htdocs/user/list.php b/htdocs/user/list.php
index f9703116d62..aef0d3e31c9 100644
--- a/htdocs/user/list.php
+++ b/htdocs/user/list.php
@@ -31,10 +31,6 @@ if (!empty($conf->categorie->enabled)) {
 require_once DOL_DOCUMENT_ROOT.'/categories/class/categorie.class.php';
 }
-if (!$user->rights->user->user->lire && !$user->admin) {
- accessforbidden();
-}
-
 // Load translation files required by page
 $langs->loadLangs(array('users', 'companies', 'hrm', 'salaries'));
@@ -185,6 +181,10 @@ if (!empty($conf->global->MAIN_USE_ADVANCED_PERMS)) {
 $error = 0;
+if (!$user->rights->user->user->lire && !$user->admin) {
+ accessforbidden();
+}
+
 $childids = $user->getAllChildIds(1);
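Review bot: The three guards added before `* Actions` in htdocs/user/group/list.php are stacked rather than alternative, so with `MAIN_USE_ADVANCED_PERMS` enabled a non-admin now needs both `group_advance->read` and `user->lire` to list groups; if the advanced right was meant to replace the basic one, the last test belongs in an `else` of the first, and either way a one-line comment stating the intended combination would help. The new test dereferences `$user->rights->user->user->lire` directly, which still denies access when the right is not set but raises a notice or warning on the way; `if (empty($user->rights->user->user->lire) && empty($user->admin)) {` reaches the same decision quietly, and the same form fits the test moved in htdocs/user/list.php. `$conf->global->MULTICOMPANY_TRANSVERSE_MODE` would likewise be safer read as `!empty($conf->global->MULTICOMPANY_TRANSVERSE_MODE)`, here and in the block moved in htdocs/user/group/card.php.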